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This work introduces a general multi-level model for self-adaptive systems. A self-adaptive system 
is seen as composed by two levels: the lower level describing the actual behaviour of the system and 
the upper level accounting for the dynamically changing environmental constraints on the system. In 
order to keep our description as general as possible, the lower level is modelled as a state machine 
and the upper level as a second-order state machine whose states have associated formulas over 
observable variables of the lower level. Thus, each state of the second-order machine identifies 
the set of lower-level states satisfying the constraints. Adaptation is triggered when a second-order 
transition is performed; this means that the current system no longer can satisfy the current high-level 
constraints and, thus, it has to adapt its behaviour by reaching a state that meets the new constraints. 
The semantics of the multi-level system is given by a flattened transition system that can be statically 
checked in order to prove the correctness of the adaptation model. To this aim we formalize two 
concepts of weak and strong adaptability providing both a relational and a logical characterization. 
We report that this work gives a formal computational characterization of multi-level self-adaptive 
systems, evidencing the important role that (theoretical) computer science could play in the emerging 
science of complex systems. 

1 Introduction 

Self-adaptive systems are a particular kind of systems able to modify their own behaviour according to 
their environment and to their current configuration. They learn from the environment and develop new 
strategies in order to fulfil an objective, to better respond to problems, or more generally to maintain 
desired conditions. Self-adaptiveness is an intrinsic property of the living matter. Complex biological 
systems naturally exhibit auto-regulative mechanisms that continuously trigger internal changes accord- 
ing to external stimuli. Moreover, self-adaptation drives both the evolution and the development of living 
organisms. 

Recently there has been an increasing interest in self-adaptive properties of software systems. In ifTTl 
the following definition is given: "Self-adaptive software evaluates its own behaviour and changes be- 
haviour when the evaluation indicates that it is not accomplishing what the software is intended to do, 
or when better functionality or performance is possible." 

As a matter of fact, software systems are increasingly resembling complex systems and they need 
to dynamically adapt in response to changes in their operational environment and in their require- 
ments/goals. Two different types of adaptation are typically distinguished: 

• Structural adaptation, which is related to architectural reconfiguration. Examples are addition, 
migration and removal of components, as well as reconfiguration of interaction and communication 
patterns. 

• Behavioural adaptation, which is related to functional changes, e.g. changing the program code or 
following different trajectories in the state space. 
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Several efforts have been made in the formal modelling of self-adaptive software, with particular 
focus on verifying the correctness of the system after adaptation. Zhang et al. give a general state-based 
model of self-adaptive programs, where the adaptation process is seen as a transition between different 
non-adaptive regions in the state space of the program ll23l . In order to verify the correctness of adap- 
tation they define a new logic called A-LTL (an adapt-operator extension to LTL) and model-checking 
algorithms [24] for verifying adaptation requirements. In PobSAM |[T3l[T4l actors expressed in Rebeca 
are governed by managers that enforce dynamic policies (described in an algebraic language) according 
to which actors adapt their behaviour. Different adaptation modes allow to handle events occurring dur- 
ing adaptation and ensuring that managers switch to a new configuration only once the system reaches a 
safe state. Another example is the work by Bruni et al. [0 where adaptation is defined as the run-time 
modification of the control data and the approach is instantiated into a formal model based on labelled 
transition systems. In [5], graph-rewriting techniques [18] are employed to describe different charac- 
terizations of dynamical software architectures. Meseguer and Talcott [ 19] characterize adaptation in a 
model for distributed object reflection based on rewriting logic and nesting of configurations. Theorem- 
proving techniques have also been used for assessing the correctness of adaptation: in Jl61 a proof lattice 
called transitional invariant lattice is built to verify that an adaptive program satisfies global invariants be- 
fore and after adaptation. In particular it is proved that if it is possible to build that lattice, then adaptation 
is correct. 

There are several other works worth mentioning, but here we do not aim at presenting an exhaustive 
state-of-the-art in this widening research field. We address the interested reader to the surveys EED for 
a general introduction to the essential aspects and challenges in the modelling of self-adaptive software 
systems. 

1.1 A multi-level view of self-adaptation 

Complex systems can be regarded as multi-level systems, where two fundamental levels can be distin- 
guished: a behavioural level B accounting for the dynamical behaviour of the system; and a higher 
structural level 5 accounting for the global and more persistent features of the system. These two levels 
affect each other in two directions: bottom-up, e.g. when a collective global behaviour or new emer- 
gent patterns are observed; and top-down, e.g. when constraints, rules and policies are superimposed on 
the behavioural level. These two fundamental levels and their relationships are the base to scale-up to 
multi-level models. In a generic multi-level model, any n-th level must resemble the behavioural level, 
the corresponding n + 1 -level has to match with the structural level and the relationships between them 
will have to show the same characteristics. We discuss how this scale-up is implemented in our setting 
in Section |5] 

Multiple levels arise also when software systems are concerned. For instance, in @] Corradini et al. 
identify and formally relate three different levels: the requirement level, dealing with high-level prop- 
erties and goals; the architectural level, focusing on the component structure and interactions between 
components; and the functional level, accounting for the behaviour of a single component. Furthermore, 
Kramer and Magee [ 15 ] define a three-level architecture for self-managed systems consisting of a com- 
ponent control level that implements the functional behaviour of the system by means of interconnected 
components; a change management level responsible for changing the lower component architecture 
according to the current status and objectives; and a goal management level that modifies the lower 
change management plans according to high-level goals. Hierarchical finite state machines and State- 
charts [11] have also been employed to describe the multiple architectural levels in self-adaptive software 
systems Ifl2"ll22ll . 
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In this work we introduce S[B]-systems: a general state-based model for self-adaptive systems where 
the lower behavioural level describes the actual dynamic behaviour of the system and the upper structural 
level accounts for the dynamically changing environmental constraints imposed on the lower system. The 
B-level is modelled as a state machine B. The upper level is also described as a state machine where each 
state has associated a set of constraints (logical formulas) over variables resulting from the observation 
of the lower-level states, so that each 5-state identifies the set of B-states satisfying the constraints. 
Therefore, a set of dynamically changing constraints underlies a second-order structure S whose states 
are sets of B-states and, consequently, transitions relate sets of B-states. 

We focus on behavioural and top-down adaptation: the B-level adapts itself according to the higher- 
level rules. In other words the upper level affects and constrains the lower level. Adaptation is expressed 
by firing a higher-order transition, meaning that the S-level switches to a different set of constraints and 
the B-level has adapted its behaviour by reaching a state that meets the new constraints. Our idea is 
broadly inspired by Zhang et al. ll23ll . i.e. the state space of an adaptive program can be separated into 
a number of regions exhibiting a different steady-state behaviour (behaviour without reconfiguration). 
However, in our model the steady-state regions are represented in a more declarative way using con- 
straints associated to the states of the S-level. Moreover, in S[B] -systems not only the behavioural level, 
but also the adaptation model embedded in the structural level is dynamic. Adaptation of the B-level 
is not necessarily instantaneous and during this phase the system is left unconstrained but an invariant 
condition that is required to be met during adaptation. Differently to l23l . the invariants are specific for 
every adaptation transition making this process controllable in a finer way. The semantics of the multi- 
level system is given by a flattened transition system that can be statically checked in order to prove the 
correctness of the adaptation model. To this aim we also formalize the notion of adaptability, i.e. the 
ability of the behavioural level to adapt to a given structural level. We distinguish between weak and 
strong adaptability, providing both a relational and a logical characterization for each of them. 

S [B] -systems has been inspired by some of the authors' recent work in the definition of a spatial 
bio-inspired process algebra called Shape Calculus HI31. In that case, a process S[B] is characterized by 
a reactive behaviour B and by a shape S that imposes a set of geometrical constraints on the interactions 
and on the occupancy of the process. This idea is shifted in a more general context in the S [B] -systems 
where, instead, we consider sets of structural constraints on the state space of the B-level. We want to 
underline that previous work and, mainly, this work have been conceived as contributions not only in the 
area of adaptive software system, but also in the area of modelling complex natural systems. 

The notion of multiple levels that characterizes our approach for computational adaptive systems is 
something well-established in the science of complex systems. As pointed out by Baianu and Poli flU 
"All adaptive systems seem to require at least two layers of organization: the first layer of the rules 
governing the interactions of the system with its environment and with other systems, and a higher-order 
layer that can change such rules of interaction." ,S[fi] -systems are similarly built on two levels: the 
B-level describes the state-based behaviour of the system and the 5-level regulates the dynamics of the 
lower level. In our settings, communication and interactions are not explicitly taken into account. Indeed 
the behavioural finite state machine can describe the semantics of a system made by several interacting 
components. 

Another accepted fact is that higher levels in complex adaptive systems lead to higher-order struc- 
tures. Here the higher 5-level is described by means of a second order state machine (i.e. a state ma- 
chine over the powerset of the B-states). Similar notions have been formalized by Baas HI with the 
hyperstructures framework for multi-level and higher-order dynamical systems; and by Ehresmann and 
Vanbremeersch with their memory evolutive systems iPTOl , a model for hierarchical autonomous systems 
based on category theory. 
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The paper is organized as follows. Section|2]introduces the formalism and the syntax of »S[B]-systems, 
together with an ecological example that will be used also in the following. In Section [3] we give the op- 
erational semantics of a S[B]-system by means of a flattened transition system. In Section|4]we formalize 
the concepts of weak and strong adaptability both in a relational and in a logical form. Finally, conclu- 
sions and possible future developments of the model are discussed in Section [5] 

2 A multi-level state-based model 

An 5 [B] -system encapsulates both the behavioural (B) and the structural/adaptive (S) aspects of a system. 
The behavioural level is classically described as a finite state machine of the form B = (Q,qo,—>B)- In 
the following, the states q € Q will also be referred to as B- states and the transitions as B-transitions. 

The structural level is modelled as a finite state machine S = (B,ro,— >s,L) (R set of states, ro initial 
state, — >s transition relation and L state labelling function). In the following, the states r G R will be 
also referred to as 5-states and the transitions as S-transitions. The function L labels each 5-state with 
a set of formulas (the constraints) over an observation of the B-states in the form of a set of variables 
X. Therefore an 5-state r uniquely identifies the set of B-states satisfying L(r) and S gives rise to a 
second-order structure (R C 2@,ro,— >sC 2^ x 2@,L). 

In this way, behavioural adaptation is achieved by switching from an 5-state imposing a set of con- 
straints to another 5-state where a (possibly) different set of constraints holds. During adaptation the 
behavioural level is no more regulated by the structural level, except for a condition, called transition 
invariant, that must be fulfilled by the system undergoing adaptation. We can think of this condition 
as a minimum requirement to which the system must comply to when it is adapting and, thus, it is not 
constrained by any 5-state. 

Note that an 5 [B] -system dynamically adapts and reconfigures its behaviour, thus both the behavioural 
level and the structural level are dynamic. 

Definition 1 (^[Bl-system behaviour) The behaviour of an S[B]-system S[B] is a tuple B = (Q, qo, 
where 

• Q is a finite set of states and qo £ Q is the initial state; and 

• — >gC Q x Q is the transition relation. 

In general, we assume no reciprocal internal knowledge between the S- and the B-level. In other 
words, they see each other as black-box systems. However, in order to realize our notion of adaptiveness, 
there must be some information flowing bottom-up from B to S and some information flowing top-down 
from S to B. In particular, the bottom-up flow is modelled here as a set of variables X = {x\ ,x n } called 
observables of the 5-level on the B-level. The values of these variables must always be derivable from 
the information contained in the B-states, which can possibly hold more "hidden" information related 
to internal activity. This keeps our approach black-box-oriented because the 5-level has not the full 
knowledge of the B-level, but only some derived (e.g. aggregated, selected or calculated) information. 
Concerning the top-down flow, the B-system only knows whether its current state satisfies the current 
constraint or not. If not, we can assume that the possible target 5-states and the relative invariants are 
outputted by the 5-system and given in input to the B-system. 

Definition 2 (SIBl-system structure) The structure of an S[B]-system S[B] is a tuple S = (R, ro, — »s,L), 
where 

• R is a finite set of states and ro G R is the initial state; 
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• — >sC R x &(X) x Ris a transition relation, labelled with a formula called invariant; and 

• L : R — > <&{X) is a function labelling each state with a formula over a set of observables X = 
{x\ , . . . ,X,t}. 

Thus, an »S[fi]-system has associated a finite setX = {x\ ,x n } of typed variables over finite domains 
{D\,...,D n } whose values must be completely determined in each state of Q. More formally, 

Definition 3 (Observation Function) Given an S[B]-system S[B] with a set X = {x\ , . . . ,x n } of observ- 
ables, an observation function & : Q — > riLi A' is a total function that maps each B-state q to the tuple 
of variable values [y\ , . . . , v„) G D\ x ... x D n observed at q. 

Note that we do not require this function to be bijective. This means that some different states can 
give the same values to the observables. In this case, the difference is not visible to S, but it is internal to 
B. 

We indicate with <£>(X) the set of formulas over the variables in X. We assume that constraints are 
specified with a first-order logic-like language. 

Definition 4 (Satisfaction relation) Let S[B] be a S[B]-system with asetX = {x\ , . . . ,x n } of observables 
and with an observation function iff. A state q 6 Q satisfies a formula (p G ^(X), written q |= (p, iff (p is 
satisfied applying the substitution { Vl jx\ , . . . , v " /x n }, where 0(q) = (vi, . . . , v n ), using the interpretation 
rules of the logic language. 

Let us also define an evaluation function [[_]] : ^{X) — > 2^ mapping a formula (p G ^(X) to the set 
ofB-states Q' = {q G Q \ q |= <p}, i.e. those satisfying (p. 

Let us now give an intuition of the adaptation semantics. Let the active 5-state be r,- and r ; rj. 
Assume that the behaviour is in a steady state (i.e. not adapting) qi and therefore qi |= L(r,). If there are 
no B-transitions — qj such that qj \= L(r,) the system starts adapting to the target 5-state rj. In this 
phase, the B-level is no more constrained, but during adaptation the invariant (p must be met. Adaptation 
ends when the behaviour reaches a state such that qi |= L{rf). 

The following definition determines when the structure S of a S [B] -system is well formed, that is: 
it must no contain inconsistencies w.r.t. all possible variable observations and the initial B-state must 
satisfy the initial 5-state. 

Definition 5 (Well-formed structure) Let S[B] be a S[B]-system. The structural level S is well-formed 
if the following conditions hold: 

• for all S-states r£R, L(r) must be satisfiable, in the sense that there must be a variable observation 
under which L(r) holds (3q 6 Q. q\= L{r) ) and 

• the initial B-state must satisfy the constraints in the initial S-state, i.e. qo |= L(ro). 

In the remainder of the paper we assume to deal with well-formed structures without explicitly men- 
tioning it. 

2.1 An example from ecology 

In this part we introduce a case study in the field of ecology and population biology: the adaptive 1- 
predator 2-preyfood web. This system describes a variant of classical prey-predator dynamics where in 
normal conditions the predator consumes its favourite prey po. When the availability of po is no longer 
sufficient for the survival of the predator, it has to adapt its diet to survive and it consequently starts 
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(0,1,1,T,F) 




(0,0,1,F,F) 



Figure 1: The behavioural state machine B for the adaptive 1 -predator 2-prey food web example. Each 
state is characterized by a different combination of the variables (p, OQ,a\, eat , moved) (favourite prey, 
availability of po, availability of p\, has the predator eaten?, has the predator migrated?). The initial state 
is (0, 1 , 1 , true, false). All the states where moved = true has been grouped for simplicity to a single state 
(_,_,_, _true). 



consuming another species p\. For the sake of showing the features of our model, here we present an 
oversimplified version of this system that omits quantitative aspects like predation rates and growth of 
prey. We assume that the predator initially consumes the prey p$ (variable p = 0) and that prey may be 
available (variable a,- = 1 , i = 0, 1) or not (variable a, =0, i = 0, 1). The effect of consuming an available 
prey is to make that prey unavailable, as expected. The predator may also decide not to eat and change 
its diet (variable p = 1). A boolean variable tells whether in the current state the predator has eaten some 
prey (variable eat). At each step the predator can do one of the following: 

• eat the currently favourite prey if available (a; <— a, — 1 and eat <— true); 

• do not eat and switch its favourite prey (p |1 — p\ and eat <— false); or 

• do not eat. 

Finally, if the predator does not feed itself for two consecutive times, it migrates to a more suitable 
habitat (variable moved = true) and no further actions are possible. The attentive reader may notice that 
under these restrictions the system will inevitably lead to a state where the predator moves to a different 
habitat. This is due to the fact that prey growth is not modelled here and it is always the case that the 
system eventually reaches a state where the predator cannot feed because of the unavailability of both 
prey. Each state of the behavioural level (depicted in Fig. [TJ is described by a different evaluation of the 
involved variables: 



(p, ao,a\, eat , moved) £ {0, 1} x {0, 1} x {0, 1} x {false, true} x {false, true}. 
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(0,1,0,F,F) >\ (0,0,0,T,F) 



Figure 2: S-states determining stable regions in the adaptive 1 -predator 2-prey system. 



In this example we consider two different 5-levels (represented in Fig. [3]>: So and Si, but with the 
same set of S-states. More specifically So is given by: 



R- 
L{r)- 



{ro,n,r 2 } 

f -amoved 

{ro 
{P- 
{P- 



-^eat —rnioved 
> n,ro — > r 2 ,n > r ,n 



A {-^eat = 
■ 1 A {-^eat = 
{moved} if r = r 2 . 



ao > 0) A -amoved} if r = ro 
a i > 0) A amoved} if r = r\ 



On the other hand, S\ differs from So only in the transition function, that is: 

t p==\ ^eat 

->s = {ro >n,n — >r 2 \ 

The three different S-states model three different stable regions in the prey-predator dynamics: 

• ro : the predator consumes po. More precisely, the constraints require that the favourite prey must 
be po (p == 0); that the predator has not moved to another habitat {-amoved); and that if the 
predator is not currently feeding, the prey po must be available so that the predator can eat in the 
following step (-<eat =>• ao > 0). 

• r\ : the predator consumes p\\ the constraints are the same as ro, but referred to prey p\. 

• r 2 : the predator has migrated. 

Figure[2]shows how the structural constraints identify different stable regions in the behavioural level. 
The adaptation dynamics, regulated by the transitions in So, allow the predator to adapt from ro to r\, 
under the invariant -amoved indicating that during adaptation the predator cannot migrate. The equivalent 
S-transition is defined from ri to ro, so that the predator is able to return to its initially favourite prey. 
Both from ro and n a S-transition to r 2 is allowed under the invariant -<eat. In this way, the predator can 
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P = =0 A 

(leat - ao > 0) a 
1 moved 



p==l A 
(leat -» ai > 0) a 
l moved 



'2 

moved 



(a) The state machine So 



(b) The state machine Si 



Figure 3: The two different structural levels So and Si in the adaptive 1 -predator 2-prey food web ex- 
ample. In each S-state r, the constraint imposed to the behavioural level are represented. Transition 
labels indicate adaptation invariants. Sq allows the predator to adapt its diet and migrate due to starvation 
anytime. In S\ adaptation is guided from ro (consume prey po), to r\ (consume prey p\) and finally to ri 
(migration). 



adapt itself and migrate to a different habitat under starvation conditions. On the other hand, the transition 
relation in S\ has been defined in a simpler way, which makes the predator adapt deterministically from 
ro to n and finally to r%. In this case, the adaptation invariant from ro to r\ requires that the predator has 
changed its diet to prey p\. 

The following section will show the operational rule for deriving the transitional semantics of the 
S[B]-system as a whole and the semantics of Sq{B] and Si[B] in the adaptive 1-predator 2-prey system 
will be given as well. 



3 Operational semantics 

In this part, we give the operational semantics of an S[B] -system as a transition system resulting from the 
flattening of the behavioural and of the structural levels. We obtain a Labelled Transition System (LTS) 
over states of the form (q,r,p), where 

• q G Q and r G R are the active B-state and S-state, respectively; and 

• p keeps the target S-state that can be reached during adaptation and the invariant that must be 
fulfilled during this phase. Therefore p is either empty (no adaptation is occurring), or a singleton 
{(<p, r')}, with q> € <J>(X) a formula and r' G R an S-state. 

Definition 6 (Flat S[B] — system) Let S[B] be an S[B]-system. A flat S[B]-system is a LTS F(S[B]) = 

(F,/ ,Au where 

• F <ZQxRx 2® {x ') xR is the set of states; 

• fo = (<?o,?"o,0) is the initial state; 

• 4cfxF, with r G R, is a family of transition relations between non-adapting states satisfying 
L(r); and 

• > C F xF, with r, r' G R and (p G <&(X), is a family of transition relations between states during 

the adaptation determined by the S-transition r -^>s r'. As a consequence it holds that for all r, r', <p, 

r tjbj 1 „ 

Table[T]lists the set of rules characterizing the flattened transitional semantics of an 5[B]-system: 

• Rule Steady describes the steady (i.e. non-adapting) behaviour of the system. If the system is 
not adapting and the B-state q can perform a transition to a q' that satisfies the current constraints 
L(r), then the flat system can perform a non-adapting transition — > of the form (q, r, 0) — > (q' ,r, 0). 
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AdaptStart- 



q 4 q' (= Ur) 

S TEADY 

(q,r,d) 4(<?',r,0) 

Vq".(q^ B q" =^ q"\^L(r)) q^ B q' r % / q' \= <p 
q^ B q' q'\=9 q^L(r') 

Adapt- 



AdaptEnd 



(q,r,{(<PS)})^WMi<Py)}) 

qY-rn 



Table 1: Operational semantics of a 5[B]-system 

• Rule ADAPTS TART regulates the starting of an adaptation phase. Adaptation occurs when none 
of the next B-states satisfy the current specification (\/q" .(q — >b q" ==> q" y= L(r)), or more 
compactly [q, r,0) -ft). In this case, for each ^-transition r — r an adaptation towards the target 
state r' under the invariant <p starts and the flat system performs an adapting transition > ' <P ' r > of the 
form O,r,0) ^> (?',r,{(<p/)}). 

• Rule Adapt describes the evolution during the actual adaptation, leading to transitions of the 

r (p f' 

form (<7,r, {(<p,r)}) > ,r, {(<p,r)})- During adaptation the behaviour is not regulated by 
the specification and it must not satisfy the target constraints L(r') (q y= L(r')). We also require 
that the invariant cp € 0>(X) must always hold during this phase. Note that the semantics does not 
immediately assure that a state where the target formula holds is eventually reached. Formulations 
of the adaptability requirement are given in Section [4] 

• Rule AdaptEnd describes the end of the adaptation phase, i.e. a transition r ' ' > from an adapting 
state (q,r,{((p,r')}) where q satisfies the set of target constraints (q' \=L(r')), to the steady non- 
adapting state (q,r',(b). 

Note that rules Steady+AdaptStart ensure that there cannot exist a non-adapting state with both 

an outgoing non-adapting transition A and an outgoing adapting transition r ' (p '' "> . Conversely, rules 
ADAPT+ AdaptEnd ensure that there cannot exist an adapting state with both an outgoing non-adapting 
transition and an adapting transition. 

The flattened transitional semantics of the two systems Sq[B] and S\[B] in the adaptive 1 -predator 
2-prey food web example presented in Section 2.1 is depicted in Figure [4j First, we observe that the 



flat So [B] system has a larger state space than the flat Si [B] , due to the higher number of S-transitions 
in So. In both cases two different adaptation phases can be noticed, the first starting from the flat state 
((0,0, 1, true, false), ro,0) and the second starting from ((1,0,0, true, false), n,0). While in Sq[B] it is 
possible to adapt to the migration region also in the first phase, in S\ [B] this is possible only in the second 
phase, i.e. when both prey become unavailable. Moreover in So[B], we notice that in each adaptation 
phase there always exists an adaptation path leading to a target stable region, but some adaptation paths 
cannot proceed because they violate the invariant. Conversely, in S\[B] every adaptation path leads 
to a target 5-state. Therefore the same behavioural level B possesses different adaptation capabilities, 
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depending on the structure S it is embedded in. These two different kinds of adaptability are formalized 
in Section |U 

Although, depending on the structure S, the flat semantics could possibly lead to a model larger than 
the behavioural model B, the flat S[B]-system lends itself quite naturally to on-the-fly representation tech- 
niques. Indeed, during non-adapting phases it would be necessary to keep in memory just the subsystem 
restricted to the set [[£(/")]] C B of B-states that satisfy the current constraints L{r). On the other hand, 

as soon as an adaptation of the form (<?,r,0) > ,r, {(<p,r)}) takes place, it would be sufficient to 
store those B-states q" such that q" \= cp Aq" y= L(r'), i.e. those state where the invariant is met, but the 
target constraints are not. 

4 Adaptability relations 

The above described transitional semantics for S[B] -systems does not guarantee that an adaptation pro- 
cess always leads to a state satisfying the target constraints, or that the system can always start adapting 
when the current constraints are not met. We characterize this requirements on the adaptability of an 
S[B] -system by means of two binary relations over the set of B-states and the set of 5-states, namely the 
weak adaptability relation ffl w and the strong adaptability relation 3% s . 

Informally, B is weak adaptable to S if any active B-state q satisfies the constraints imposed by the 
active S-state r, or it can start adapting and there exists a finite path reaching a B-state q' satisfying the 
constraints dictated by a target 5-state r'. On the other hand, B is strong adaptable to S if any active 
B-state q satisfies the constraints imposed by the active 5-state r, or it can start adapting towards a target 
5-state / and all paths reach a B-state q' satisfying the constraints L(r') in a finite number of transitions. 

In the following definitions the notation — >' with i G N indicates the exponentiation of the transition 
relation — >, i.e. — >' = (—)■)' =— > (— We use this notation to remark that adaptation paths must be of 
finite length. 

Definition 7 (Weak adaptability) Weak-adaptability is a binary relation M w C Q x R defined as fol- 
lows. Let q G Q be a B-state and r £ Rbe an S-state. Then, q r iff 

• q \= L(r) and 

• for all q' G Q, whenever q — q', it holds that either 

- cf^w r, or 

- there exists q" G Q, (p G <£(X) , r 1 € R, i £ N, 

(q,r,d) tf,r,{(<PS)}) ^WSf) andq"@ w r>. 

Let S[B] be an S[B]-system. Then B is weak adaptable to S if their initial states are weak adaptable, i.e. 
qo &w r - 

Definition 8 (Strong adaptability) Strong-adaptability is a binary relation ffl s C Q x R defined as fol- 
lows. Let q G Q be a B-state and r G Rbe an S-state. Then, q £% s r iff 

• q |= L{r) and 

• for all q' G Q, whenever q — q', it holds that either 

- q'M s r, or 

- (q, r, 0) ,<P ' > (q',r, { (<p, r')}) for some <p G &(X) ,r' G R and every path starting from 

(q' ,r,{(<p,r)}) leads, in a finite number of consecutive > transitions, to a state (^",r',0) 
such that q"& s r> - 
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Let S[B] be an S[B]- system. Then B is strong adaptable to S if their initial states are strong adaptable, 

In the remainder of the paper we will alternatively say that a system S[B] is weak (strong) adaptable, 
in the sense that B is weak (strong) adaptable to S. It is straightforward to see that strong adaptability 
implies weak adaptability, since the strong version of the relation requires that every adaptation path 
reaches a target S-state, while the weak version just requires that at least one adaptation path reaches 
a target S-state. Now that a relational characterization of adaptability has been given, a concept of 
equivalence between B-states that are adaptable to the same S-states naturally arises. Therefore we 
define the weak adaptation equivalence and the strong adaptation equivalence over the set of B- states as 
follows. 

Definition 9 (Weak adaptation equivalence) Two B-states q\,qi G Q are said to be equivalent under 
weak adaptation, written q\ sa w q2, iff for each S-state r G R, q\ ffl w r <4=> q2 £% w r. 

Definition 10 (Strong adaptation equivalence) Two B-states qi,qi^Q are said to be equivalent under 
strong adaptation, written q\ th s q%, iff for each S-state r €zR, q\ 8% s r <s=> q2 & w r. 

As discussed in Section [3] the adaptive 1 -predator 2-prey system possesses different adaptation ca- 
pabilities depending on the structural level S. In particular we notice that the system Sq[B] is weak 
adaptable, since in each adaptation phase there always exists an adaptation path leading to a target S- 
state. Nevertheless, it is not strong adaptable because there are adaptation paths that violate the invariant 
and consequently cannot end adapting. On the other hand, Si [B] is strong adaptable, because every 
adaptation path leads to a target S-state. 

4.1 A logical characterization for adaptability 

In this part we formulate the above introduced adaptability requirements in terms of temporal formulae 
that can be statically checked on the flat S[B]-system. To this purpose we describe such properties in the 
well known CTL (Computational Tree Logic) [8], a branching-time logic whose semantics is defined in 
term of states. The set of well-formed CTL formulas are given by the following grammar: 

::= false | true |/?|^0|0A0|0V0| AX0 | EX0 | AF0 | EF0 | AG0 | EG0 | A[0U0] | E[0U0], 

where p is an atomic proposition, logical operators are the usual ones (->, A, V) and temporal operators 
(X next, G globally, F finally, U until) are preceded by the universal path quantifier A or the existential 
path quantifier E. Starting from a state s, CTL operators are interpreted as follows. AX0: for all paths, 
holds in the next state; EX0: there exists a path s.t. holds in the next state; AF0: for all paths, 
eventually holds; EF0: there exists a path s.t. eventually holds; AG0: for all paths, always holds; 
EG0: there exists a path s.t. always holds; A[0iU02]: for all paths, (j>\ holds until 02 holds; and 
E[0iU02]: there exists a path s.t. </>i holds until 02 holds). 

In the following we provide the CTL formulas characterizing a weak adaptable and a strong adaptable 
S[B]-system. Formulas are evaluated over the flat semantics and we employ the proposition adapt to 
denote an adapting state. More formally, given a flat S[B]-system F and a state s = (q s ,r s ,p s ), (F,s) |= 
adapt if and only if p s ^ 0. Additionally, the connective </>i 02 has the usual meaning: -i0i V 02- 

• Weak adaptability: for all paths, it always holds that as soon as adaptation starts, there exists at 
least one path for which the system eventually ends the adaptation phase leading to a target S-state. 




(4.1) 
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• Strong adaptability: for all paths, it always holds that whenever the system is in an adapting state, 
for all paths it eventually ends the adaptation phase leading to a target S-state. 

AG{adapt ==> AF -^adapt) (4.2) 
Proposition 1 (Equivalent formulations of weak adaptability) LetS[B] be an S[B]-system. Then, S[B] 



is weak adaptable if and only ifS[B] satisfies the weak adaptability CTL formula ( equation 4. 1 I. Formally, 
qo M s ro <^=^ (F,fo) |= AG{{-^adapt A EX adapt) EF -^adapt), where F is the flat semantics of 
S[B], qo, ro and fo are the initial states of the behavioural level B, of the structural level S and of the 
flattened system F, respectively. 

Proposition 2 (Equivalent formulations of strong adaptability) Let S[B] be an S[B}-system. Then, 
S[B] is strong adaptable if and only if S[B] satisfies the strong adaptability CTL formula (equation \4.2\ . 
Formally, qo ro ^=> (F,fo) |= AG(adapt ==^ AF -^adapt), where F is the flat semantics of S[B], 
qo, ro and fo are the initial states of the behavioural level B, of the structural level S and of the flattened 
system F, respectively. 

Note that since we assume that the behavioural and the structural state machines are finite state, then 
the CTL adaptability properties can be model checked. This means that the defined notions of weak and 
strong adaptability are decidable. 



5 Discussion and conclusion 

In this work we presented S [B] -systems, a general multi-level model for self-adaptive systems, where 
the lower B-level is a state machine describing the behaviour of the system and the upper 5-level is 
a second-order state machine accounting for the dynamical constraints with which the system has to 
comply. Higher-order 5-states identify stable regions that the B-level may reach by performing adaptation 
paths. An intriguing (but here simplified) case study from ecology has been provided to demonstrate 
the capabilities of 5[B]-systems: the adaptive 1-predator 2-prey system. The semantics of the multi- 
level system is given by a flattened transition system and two different concepts of adaptability (namely, 
weak and strong adaptability) have been formalized, both in a relational flavour and with CTL formulas 
that can be model checked. We report that this work gives a formal computational characterization of 
self-adaptive systems, based on concepts like multiple levels and higher-order structures that are well- 
established in the science of complex systems. 

Note also that in this work we defined in details just two levels, namely the 5-level and the B-level. 
However, our approach can be easily extended in order to consider multiple levels arising from the 
composition of multiple 5[B]-systems. Let {S"[B"]i \ i G /} be a set of ,S[fi] -systems at a certain level n. 
Their parallel composition would be defined as S n [B"]j. Then, if we let B n+1 = S n [B"]i be the 
behavioural state machine at level n + 1, an higher-level S [B] -system 5" +1 [B" +l ] can be built by defining 
a structure S" +l at level n + 1, together with a set of observable variables X n+l and with an observation 
function & n+l . 

The present work is just an initial attempt and several extensions can be integrated into the model 
in the next future. First, the definition of a higher-level algebraic language for specifying 5[B]-systems 
would be useful in order to handle more complex and larger models of adaptive systems. Additionally, 
we are currently investigating further adaptability relations and different models for the structural level, 
where adaptation can occur not only when no possible future behaviours satisfy the current constraints, 



E. Merelli, N. Paoletti & L. Tesei 



125 



but also when stability conditions are met. Then, another possible research direction would be embed- 
ding quantitative aspects into the two levels of an 5 [B] -system. In this way, an 5-transition would have 
associated a measure of its cost/propensity, for distinguishing the adaptation paths more likely to occur 
(e.g. in the 1 -predator 2-prey example, the predator adapting its diet), to those less probable (e.g. the 
predator migrating even under prey availability conditions). 

Finally we assume that the reciprocal knowledge between the two levels is limited: they see each 
other as black-box systems. However, this approach could be extended in order that the structure S has 
a more comprehensive knowledge of the behaviour B. Under the white-box assumption, the structure 
could act as a sort of monitor that is able to statically check the behavioural model for properties of 
safe adaptation. In this way, the system will know in advance if an adaptation path eventually leads to 
a target 5-state and if not, it will avoid that path. In other words, runtime model checking techniques 
allows the system to behave in an anticipatory way. Anticipation is a crucial property in complex self- 
adaptive systems, since it makes possible to adjust present behaviour in order to address future faults. A 
well-know definition is given by Rosen GUI : "An anticipatory system is a system containing a predictive 
model of itself and/or its environment, which allows it to change state at an instant in accord with the 
model's predictions pertaining to a later instant". In the settings of 5[B]-systems, the predictive model 
of the system could be the behavioural level itself, or a part of it if we assume that S does not have a 
complete knowledge of B and is able to "look ahead" only at a limited number of future steps. The 
verdict of runtime model checking would be what Rosen refers to as model's predictions. 
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